Can't reroute WG traffic

I'm trying to connect to WG from AWS and reroute the traffic.

It seems like the tunnel works but I have no internet from my connected client (eth1)
(screenshot: Screenshot 2022-05-06 at 21.58.00, not reproduced)

I tried the same configuration on my iPhone and it works just fine,
same configuration from a UDM PRO (WG) and it works too.

  • If AWS is your VPN server, your OpenWrt's IP should be /32
  • You need a 3rd key config for the phone - I assume you generated another key

Did you make IP routes and rules to use the AWS WG as your gateway?


That's my AWS config:

/etc/wireguard# cat wg0.conf
[Interface]
Address = 10.1.1.1/24
ListenPort = 51820
PrivateKey = ##
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = ##
AllowedIPs = 10.1.1.2/32

On OpenWRT, in general settings, I changed the IP to the 10.1.1.2/32 subnet

Here is my UDM PRO config, it works fine -- I turn WG off when I try to connect with my iPhone or OpenWRT since I didn't add them to the config file yet, but the phone and the UDM work fine

[Interface]
PrivateKey = ###
Address = 10.1.1.2/24
PostUp = sh /etc/split-vpn/vpn/updown.sh %i up
PreDown = sh /etc/split-vpn/vpn/updown.sh %i down
Table = 101

[Peer]
PublicKey = ####
AllowedIPs = 0.0.0.0/1,128.0.0.0/1,::/1,8000::/1
Endpoint = ##:51820

It's weird, it works but only intermittently, possibly the WAN NIC (Belkin USB-C to eth)

Did you unblock the port on the firewall?

Also, why don't you create a route with the VPN routing package and then direct the traffic to the correct IP? That would make your life easier, I was having similar issues.

Just realised I didn't port forward the WG port from my main gateway to the Raspberry Pi (OpenWRT), but it's partially working.

What do you mean for the route/VPN routing package?

What I'm trying to do is to reroute all the traffic from one client to the AWS server, which works fine with my UDM PRO (I need my client to have a specific IP from AWS), but I'm trying to set up the same with OpenWRT, which seems to only work partially.

When configuring the server side for multiple clients, they must have unique tunnel IP addresses. Associating the same IP (10.1.1.2) with multiple public keys will not work, especially of course if they are actively connected at the same time.

Wireguard does not "push" IP settings or other configuration across the tunnel, so it is necessary to manually set the client's IP and netmask on the client end to match the server's allowed_ip and network subnet.

Test that you can ping 10.1.1.1 from your end. Look at your routing table and confirm that it is using 10.1.1.1 as the gateway and that the interface is the wireguard interface. Test if you can ping the Internet with a numeric IP such as 8.8.8.8. Do this both from the router itself and from a LAN device. If that works but you can't go to sites on the Internet, it is probably a DNS problem.
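The test sequence in the reply above, written up as a small script. This is an added example, not something posted in the thread; it assumes the tunnel addresses the thread uses (server end 10.1.1.1, client interface wg0) and the hostname openwrt.org as an arbitrary DNS probe. The route-parsing and classification helpers are pure, so they can also be fed output captured from another machine; `run_live` does the real checks when executed on the router.

```shell
#!/bin/sh
# Added example, not from the thread: the ping/route/DNS test sequence from
# the reply above as a script. Assumed values (from the thread): server
# tunnel address 10.1.1.1, WireGuard interface wg0. Override with WG_SERVER
# and WG_IF in the environment.

# Print the outgoing device of the default route, reading `ip -4 route` output on stdin.
default_route_dev() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the gateway ("via") of the default route, if the route has one.
default_route_via() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "via") { print $(i + 1); exit } }'
}

# Map the three ping results (1 = reply received, 0 = none) onto the diagnosis
# the reply describes: no reply from the tunnel endpoint means the tunnel itself
# is not up; endpoint OK but a numeric Internet address fails points at routing
# or masquerading; numeric OK but a hostname fails points at DNS.
classify() {
    gw_ok=$1; inet_ok=$2; dns_ok=$3
    if [ "$gw_ok" != 1 ]; then
        echo "tunnel: no reply from the server's tunnel address; check keys, endpoint, port forwarding and the handshake"
    elif [ "$inet_ok" != 1 ]; then
        echo "routing: tunnel is up but 8.8.8.8 is unreachable; check the default route on the client and masquerading on the server"
    elif [ "$dns_ok" != 1 ]; then
        echo "dns: IP connectivity works but names do not resolve; check the DNS servers the client uses"
    else
        echo "ok: tunnel, routing and DNS all work"
    fi
}

# Live checks, to be run on the OpenWrt router itself (then repeated from a LAN host).
run_live() {
    server=${WG_SERVER:-10.1.1.1}
    wg_if=${WG_IF:-wg0}
    dev=$(ip -4 route show | default_route_dev)
    via=$(ip -4 route show | default_route_via)
    echo "default route: dev ${dev:-<none>} via ${via:-<none>} (expected dev $wg_if)"
    if ping -c 2 -W 2 "$server" >/dev/null 2>&1; then gw=1; else gw=0; fi
    if ping -c 2 -W 2 8.8.8.8 >/dev/null 2>&1; then inet=1; else inet=0; fi
    if nslookup openwrt.org >/dev/null 2>&1; then dns=1; else dns=0; fi
    classify "$gw" "$inet" "$dns"
}

# Usage on the router: sh wgcheck.sh live
case "${1:-}" in live) run_live ;; esac
```

Run it once from the router and once from a LAN device; the first line tells you whether the default route actually leaves via the WireGuard interface, and the verdict line tells you which layer to look at next.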


Well, if you have a WireGuard server on AWS and you want to route it all there, then it's quite simple.

Install luci-app-vpn-policy-routing

Then add WAN interface at the Advanced configuration.

Then create 2 rules: in one you set the static IP of the machine you need routed to AWS, in the other one you can put your entire LAN.

Your LAN IP you then preroute to WAN.
The static IP you route to the WireGuard interface, save and reboot.

Ah, and don't forget to set the WireGuard interface as "Allow forward from source LAN" on the firewall, otherwise you won't be able to make it work.

Hope it will work for you.


Thanks a lot, I'll try that instead. Many thanks.

You don’t need policy routing, but it is fine to use it.

It appears that you don’t have masquerading enabled on your wg firewall zone. You will need that turned on.


On the first rule? LAN => WAN/VPN? OK, thank you, I will enable it.

Masquerading is enabled at the zone level, and actually, now that I look at your picture again, it does look like it's already enabled. I thought the lan firewall zone screenshot was the vpn one.

It is often easier to debug these things by looking at the complete config...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

Sure, I should have posted that originally.

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3d:178e:085e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.99.1'
	option netmask '255.255.255.0'
	option if6assign '60'

config interface 'WAN'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'

config interface 'wg0'
	option proto 'wireguard'
	option private_key '##'
	list addresses '10.1.1.2/32'

config wireguard_wg0
	option description 'AWS'
	option public_key '##'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option endpoint_host '##.##.##.##'
	option endpoint_port '51820'
	option persistent_keepalive '25'

and

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'WAN'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config zone
	option name 'vpn'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	option masq '1'
	list network 'wg0'

config forwarding
	option src 'lan'
	option dest 'vpn'

This is wrong, it needs to be /24 so that the server end of the tunnel (10.1.1.1) is also in the subnet.
(Use /32 on a client's allowed_ips to prevent the client from changing to a different IP than intended. This is a security measure enabling IP-based firewalling at the server).

UCI does not know of a network named wg0, since it was created and configured directly by wireguard. There is a device named wg0, so this should be list device wg0.
You may also want to set input to ACCEPT so that you can ping the client from the server end. Or make a rule specifically allowing pings like the one that is on wan.

Now if it still doesn't work, come back and post something more than "it still doesn't work." Do the tests that I mentioned in a previous post and post those results. Dump out the routing table on both sides and confirm that the routes make sense.

===
Also, though it doesn't seem to be breaking anything, it would be good to change the name of your 'WAN' network back to 'wan'. Uppercase in network names is not a good practice, especially since LuCI likes to uppercase and lowercase them on the screen.
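The two addressing points made above (the client's interface address must cover the server's tunnel address, and the server's AllowedIPs for a peer should be a single /32) can be checked mechanically. The script below is an added example, not something posted in the thread; it uses the thread's values (client 10.1.1.2, server 10.1.1.1) as sample input and does the subnet arithmetic in plain POSIX shell so it runs on the router or anywhere else. The `uci` commands it prints as a remediation are a suggestion and are not executed.

```shell
#!/bin/sh
# Added example, not from the thread: check the tunnel addressing points from
# the reply above with plain shell arithmetic. Sample values assumed from the
# thread: client 10.1.1.2, server 10.1.1.1.

# Dotted-quad IPv4 address -> unsigned 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length (0..32) -> netmask as an integer.
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# same_subnet ADDR/PREFIX OTHER: succeed if OTHER falls inside ADDR/PREFIX.
same_subnet() {
    addr=${1%/*}; prefix=${1#*/}; other=$2
    mask=$(prefix2mask "$prefix")
    [ $(( $(ip2int "$addr") & mask )) -eq $(( $(ip2int "$other") & mask )) ]
}

# Point 1: the client's interface address must cover the server's tunnel
# address; with a /32 the server end is outside the client's own subnet.
check_client_address() {
    client_cidr=$1; server=$2
    if same_subnet "$client_cidr" "$server"; then
        echo "ok: server $server lies inside the client address $client_cidr"
    else
        echo "wrong: server $server is outside $client_cidr; widen the prefix (e.g. /24 here)"
        return 1
    fi
}

# Point 2: on the server, the peer's AllowedIPs should be a single /32 so the
# client cannot source packets from any other tunnel address.
check_server_allowed_ips() {
    case $1 in
        */32) echo "ok: AllowedIPs $1 pins the peer to one tunnel address" ;;
        *)    echo "warn: AllowedIPs $1 lets the peer use any address in that range"; return 1 ;;
    esac
}

# Suggested UCI remediation for point 1 (printed only; assumed commands, review before use).
suggest_client_fix() {
    echo "  uci del_list network.wg0.addresses='$1'"
    echo "  uci add_list network.wg0.addresses='$2'"
    echo "  uci commit network && ifup wg0"
}

# Walk through the thread's own values: the posted /32, the corrected /24,
# and the server-side AllowedIPs entry.
main() {
    check_client_address 10.1.1.2/32 10.1.1.1 || suggest_client_fix 10.1.1.2/32 10.1.1.2/24
    check_client_address 10.1.1.2/24 10.1.1.1
    check_server_allowed_ips 10.1.1.2/32
}

# Usage: sh wgaddr.sh run
case "${1:-}" in run) main ;; esac
```

Note that the two checks pull in opposite directions on purpose: the client's own address wants a prefix wide enough to include the server, while the server's AllowedIPs for that client wants the narrowest possible /32.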